EXTENDED KEY PREPARING APPARATUS, EXTENDED KEY PREPARING 
METHOD, RECORDING MEDIUM AND COMPUTER PROGRAM 



FIELD OF THE INVENTION 

The present invention relates to an extended key 
preparing apparatus and method as well as to a recording 
medium and computer program, and particularly to an extended 
key preparing apparatus by which an extended key required 
in the case where common key cryptosystem is applied can 
be safely prepared at a high speed, a process for preparing 
such an extended key, and a recording medium and computer 
program used therefor. 

BACKGROUND OF THE INVENTION 

Common key cryptosystem wherein a cryptographic key 
being commonly used in both transmission and reception sides 
has been heretofore known. Fig. 8 is an explanatory view 
for explaining cryptographic processing in accordance with 
usual common key cryptograph. As shown in Fig. 8, the 
cryptographic equipment is composed of an extended key 
preparing means for preparing an extended key for 
cryptographic key, and a cryptographic processing means for 
encrypting a plaintext by the use of such extended key. 

More specifically, since n-stages of cryptographic 
processing, i.e., cryptographic processing 1 to 



cryptographic processing n are implemented in the 
cryptographic processing equipment, extended key 1 to 
extended key n necessary for the n-stages of cryptographic 
processing are successively prepared in the extended key 
5 preparing means . 

Accordingly, it is a very important problem in that 
a safe extended key is how rapidly prepared by the extended 
key preparing means in case of adopting common key 
crypto system. 

10 In this connection, according to DES (Data Encryption 

Standard) cryptograph, extended keys 1 to n are prepared 
from a cryptographic key by means of only cyclical shifting 
and bit transposition, whereby a preparation of extended 
keys is realized at a high speed as shown in Fig. 9. 

15 Furthermore, a process for preparing extended keys 

by means of MARS has been known as a process for preparing 
safer extended keys (a candidate cipher for AES, The First 
AES Conference, 1998, pages 1 - 9) . 

According to the above described DES cryptograph, 

20 however, an extended key is prepared by only cyclical shifting 
and bit transposition as shown by a mark in Fig. 9, so 
that there are problems in view of safety . More specifically, 
even if information has been leaked as to one key among the 
number n of extended keys prepared by extended key preparing 

25 equipment, a cryptographic key itself to be input to extended 
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key preparing equipment becomes clear in this DES 
cryptosystem, whereby problems of safety arise. 

On the other hand, according to the above described 
MARS extended key preparing apparatus, information of a 
5 cryptographic key cannot be easily acquired from information 
of an extended key, so that there is no problem as to safety 
like in DES cryptosystem. However, another problem in such 
that many calculations must be repeated in the process, 
whereby the operations require much time arises. 
10 From the matters described above, it has been a very 

important problem that a safe extended key required in case 
of applying common key cryptosystem is how rapidly prepared. 

SUMMARY OF THE INVENTION 

15 It is an object of the present invention to provide 

an extended key preparing apparatus by which an extended 
key required in the case where common key cryptosystem is 
applied can be safely prepared at a high speed, a process 
for preparing such an extended key, and a recording medium 

20 used therefor. 

An extended key preparing apparatus of a first aspect 
wherein extended keys are prepared in common key cryptosystem 
from a cryptographic key input, comprises a dividing means 
for dividing binary digit string of the cryptographic key 

25 into a plurality of elements each composed of a predetermined 
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bit length (corresponding to the intermediate data preparing 
means 4 of Fig. 1); an intermediate data preparing means 
for preparing a plurality of intermediate data by applying 
a plurality of times an operation wherein a predetermined 
5 constant is used to the respective elements divided by the 
dividing means (corresponding to the intermediate data 
preparing means 4 of Fig. 1) ; a selecting means for selecting 
a plurality of intermediate data corresponding to the number 
of stages of extended keys from the plurality of the 

10 intermediate data prepared by the intermediate data 
preparingmeans ( corresponding to the extended key preparing 
means 5 of Fig. 1); and an extended key preparing means 
for preparing the extended keys corresponding to the number 
of stages by converting irreversibly the plurality of the 

15 intermediate data selected by the selecting means 
(corresponding to the extended key preparing means 5 of 
Fig. 1) . 

According to the invention of the first aspect, binary 
digit string of the cryptographic key is divided into a 

20 plurality of elements each composed of a predetermined bit 
length; a plurality of intermediate data are prepared by 
applying the plurality of times an operation wherein a 
predetermined constant is used to the respective elements; 
a plurality of intermediate data corresponding to the number 

25 of stages of extended keys are selected from the plurality 
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of the intermediate data prepared; and the extended keys 
corresponding to the number of stages are prepared by- 
converting irreversibly the plurality of the intermediate 
data selected, whereby such extended keys required in the 
5 case where common key cryptosystem is applied can be safely 
prepared at a high speed. 

Furthermore, an extended key preparing method of a 
eleventh aspect wherein extended keys are prepared in common 
key cryptosystem from a cryptographic key input, comprises 

10 a dividing step for dividing binary digit string of the 
cryptographic key into a plurality of elements each composed 
of a predetermined bit length; an intermediate data 
preparing step for preparing a plurality of intermediate 
data by applying the plurality of times an operation wherein 

15 a predetermined constant is used to the respective elements 
divided by the dividing step; a selecting step for selecting 
a plurality of intermediate data corresponding to the number 
of stages of extended keys from the plurality of the 
intermediate data prepared by the intermediate data 

20 preparing step; and an extended key preparing step for 
preparing the extended keys corresponding to the number 
of stages by converting irreversibly the plurality of the 
intermediate data selected by the selecting step. 

According to the invention of the eleventh aspect, 

25 binary digit string of the cryptographic key is divided 
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into a plurality of elements each composed of a predetermined 
bit length; a plurality of intermediate data are prepared 
by applying the plurality of times an operation wherein 
a predetermined constant is used to the respective elements; 
5 a plurality of intermediate data corresponding to the number 
of stages of extended keys are selected from the plurality 
of the intermediate data prepared; and the extended keys 
corresponding to the number of stages are prepared by 
converting irreversibly the plurality of the intermediate 

10 data selected, whereby such extended keys required in the 
case where common key cryptosystem is applied can be safely 
prepared at a high speed. 

Furthermore, a computer readable recording medium and 
computer program of a twenty-first aspect wherein an extended 

15 key preparing program in which extended keys are prepared 
in common key cryptosystem from a cryptographic key input 
is to be recorded, comprises recording the program containing 
a dividing step for dividing binary digit string of the 
cryptographic key into a plurality of elements each composed 

20 of a predetermined bit length; an intermediate data 
preparing step for preparing a plurality of intermediate 
data by applying the plurality of times an operation wherein 
a predetermined constant is used to the respective elements 
divided by the dividing step; a selecting step for selecting 

25 a plurality of intermediate data corresponding to the number 
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of stages of extended keys from the plurality of the 
intermediate data prepared by the intermediate data 
preparing step; and an extended key preparing step for 
preparing the extended keys corresponding to the number 
5 of stages by converting irreversibly the plurality of the 
intermediate data selected by the selecting step. 

According to the invention of the twenty-first aspect, 
binary digit string of the cryptographic key is divided 
into a plurality of elements each composed of a predetermined 

10 bit length; a plurality of intermediate data are prepared 
by applying the plurality of times an operation wherein 
a predetermined constant is used to the respective elements ; 
a plurality of intermediate data corresponding to the number 
of stages of extended keys are selected from the plurality 

15 of the intermediate data prepared; and the extended keys 
corresponding to the number of stages are prepared by 
converting irreversibly the plurality of the intermediate 
data selected, whereby such extended keys required in the 
case where common key cryptosystem is applied can be safely 

20 prepared at a high speed. 

Other objects and features of this invention will 
become apparent from the following description with 
reference to the accompanying drawings. 

25 BRIEF DESCRIPTION OF THE DRAWINGS 
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Fig . 1 is a block diagram showing the whole construction 
of cryptographic equipment used in the present embodiment; 

Fig. 2 is a flowchart illustrating processing steps 
for preparing an extended key from a cryptographic key by 
5 means of the extended key processing equipment shown in Fig. 
1; 

Fig. 3 is an explanatory diagram for explaining a 
concept for preparing intermediate data by means of the 
intermediate data preparing equipment shown in Fig. 1; 
10 Figs. 4(a) and 4(b) are explanatory diagrams each for 

explaining a concept for preparing an extended key from the 
intermediate data by means of the extended key preparing 
apparatus shown in Fig. 1; 

Figs. 5(a), 5(b), and 5(c) are explanatory diagrams 
15 each for explaining selection of data by means of the selected 
value deciding equipment as well as rearrangement of data 
by means of the data rearrangement processing equipment shown 
in Figs . 4 (a) and 4 (b) ; 

Figs. 6(a), 6(b), and 6(c) are explanatory diagrams 
20 (No. 1) each for explaining an example of operations for 
a nonlinear type function conducted by the intermediate data 
preparing equipment shown in Fig. 1 ; 

Figs. 7(d) and 7(e) are explanatory diagrams (No. 2) 
each for explaining another example of operations for the 
25 nonlinear type function conducted by the intermediate data 



preparing equipment shown in Fig. 1; 

Fig. 8 is an explanatory diagram for explaining 
cryptographic processing by means of a usual common key 
cryptography; and 
5 Fig. 9 is a block diagram illustrating a conventional 

algorithm based on DES cryptography. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

Apref erred embodiment applied suitably for an extended 

10 key preparing apparatus, an extended key preparing method, 
and a recording medium according to the present invention 
will be described in detail hereinafter by referring to the 
accompanying drawings . 

First, the whole construction of cryptographic 

15 equipment used in the present embodiment will be described. 
Fig . 1 is a block diagram illustrating the whole construction 
of the cryptographic equipment 1 used in the present 
embodiment. As shown in Fig. 1; the cryptographic equipment 
1 is the one which prepares an extended key 1 to an extended 

20 key n from a cryptographic key in the case when a plaintext 
or the cryptographic key is input, and encrypts the plaintext 
by the use of the extended keys 1 to n prepared. 

The cryptographic equipment 1 involves cryptographic 
processing equipment 2 for effecting cryptographic 

25 processing of a plaintext, and an extended key processing 
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equipment 3 for preparing extended keys 1 to n required for 
encryption in the cryptographic processing equipment 2. 

The cryptographic processing equipment 2 performs 
cryptographic processing (1) to (n) of n-stages by the use 
5 of the extended keys 1 to n to prepare a ciphertext 
corresponding to the plaintext, and the resulting ciphertext 
is output. In the cryptographic processing of n-stages (1) 
to (n) , each cryptographic processing is carried out after 
receiving the extended keys 1 to n prepared in the extended 

10 key processing equipment 3, and the ciphertext is output 
from the final stage wherein the cryptographic processing 
(n) is carried out. 

The extended key processing equipment 3 is the one 
for preparing the extended keys 1 to n, which are to be supplied 

15 to the cryptographic processing equipment 2 from a 
cryptographic key which has been input, and which is provided 
with intermediate data preparing equipment 4 and an extended 
key preparing equipment 5 . It is to be noted that the present 
embodiment of the invention is characterized in that an 

20 extended key is prepared by such a manner that an intermediate 
data is once prepared by means of the intermediate data 
preparing equipment 4, and then the extended key is prepared 
by the use of the intermediate data thus prepared, unlike 
a conventional manner wherein an extended key is prepared 

25 simply from a cryptographic key. 
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The intermediate data preparing equipment 4 is a 
processing section for preparing intermediate data composed 
of respective elements of ai, bj., Ci, and di (i = 0, 1, and 
2) at the time when a cryptographic key is input. In the 
5 present embodiment, an explanation is made on the case where 
intermediate data a 0 to a 2 , b 0 to b 2 , c 0 to c 2 , and d 0 to d 2 
are prepared in case of "i = 0, 1, and 2" for the convenience 
of explanation. While the detailed explanation will be made 
later, intermediate data are prepared by means of nonlinear 

10 type function, exclusive OR, addition, and multiplication 
in the intermediate data preparing equipment 4 . 

The extended key preparing equipment 5 is a processing 
section for preparing extended keys of the number 
corresponding to the specified number r of stages from the 

15 intermediate data which have been prepared by the 
intermediate data preparing equipment 4 . More specifically, 
one each of elements (for example, ai, b 0 , c lf and d 2 ) is 
selected from the respective elements a 0 to a 2 , b 0 to b 2 , c 0 
to c 2 , and d 0 to d 2 , the respective elements thus selected 

20 are rearranged, for example, in such that b 0 , a lf d 2 , and 
Ci, and a predetermined calculation is made on the rearranged 
elements to prepare the extended keys 1 to n. 

Next, processing steps for preparing extended keys 
from a cryptographic key by means of the extended key 

25 processing equipment 3 shown in Fig. 1 will be described 
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hereinafter. In this connection, Fig. 2 is a flowchart 
showing processing steps for preparing extended keys from 
a cryptographic key by the use of the extended key processing 
equipment 3 shown in Fig. 1. 
5 As shown in Fig. 2, when a plaintext is input together 

with a cryptographic key (user key) by a user (step SI), 
the cryptographic key is incorporated into the intermediate 
preparing equipment 4. 

Thereafter, the intermediate processing equipment 4 

10 divides binary digit strings of the cryptographic key into 
data k 0 to k 7 of eight groups, and an operation wherein the 
undermentioned nonlinear type function M is applied is made 
upon these data k 0 to k 7 to acquire data k 0 ' to k 7 ' (step S2) . 

Then, a constant is added to each of even number-th 

15 data k 0 ' / k 2 ' , k 4 ' , and k s ' (step S3), while odd number-th 
data ki' , k 3 ' , k 5 ' , and k 7 ' are multiplied by the constant 
(step S4) , thereafter exclusive OR operation is implemented 
with respect to the even number-th data to each of which 
was added the constant as well as to the odd number-th data 

20 with each of which is multiplied by the constant (step S5) , 
and then, a nonlinear type f unctionMis applied to the results 
operated (step S6) , whereby intermediate data ai to di are 
prepared. In this case, however, since the i takes values 
of 0, 1, and 2, intermediate data a 0 to a 2 , b 0 to b 2 , c 0 to 

25 c 2 , and d 0 to d 2 , are obtained, in reality. 



12 



Thereafter, when the number r of stages of extended 
keys is input (step S7) , corresponding data are selected 
from the intermediate data which have been already prepared 
(step S8), whereby the selected data are transposed in 
5 accordance with the number r (step S9) . Then, irreversible 
conversion G is applied to the intermediate data after the 
transposition (step S10) to output an extended key of the 
r-th stage (step Sll) . 

In the case when another extended key is required to 
10 be prepared (step S12; YES) , it shifts to the above described 
step S7, and the same processing is repeated, while preparing 
process of extended key is completed in the case when a 
preparation of required extended keys was finished (step 
S12; NO) . 

15 As described above, when the processing in the above 

steps SI to S6 is carried out, the intermediate data of ai 
to di wherein i = 0, 1, and 2 can be prepared. Furthermore, 
when the processing in the steps S7 to S12 is implemented, 
extended keys to which have been applied irreversible 

20 conversion can be prepared at a high speed by the use of 
the intermediate data prepared in the steps SI to S6. 

Next, a concept of preparing intermediate databymeans 
of the intermediate data preparing equipment 4 shown in Fig. 
1 will be described in more detail . In this connection, Fig. 

25 3 is an explanatory diagram for explaining the concept of 
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preparing intermediate data by means of the intermediate 
data preparing equipment 4 shown in Fig. 1. In Fig. 3, symbols 
"k 0 to k 7 " designate binary digit strings which are obtained 
by dividing bit strings of a cryptographic key into eight 
5 groups, respectively, "M" is nonlinear type function 
operation, means addition of a constant, "x" means 

multiplication of a constant, and symbols "ai to di" denote 
intermediate data. 

As shown in Fig. 3, the intermediate data preparing 

10 equipment 4 divides binary digit strings of the cryptographic 
key into data k 0 to k 7 of eight groups. For instance, when 
the cryptographic key is composed of 128 (32 x 4) bits, the 
initial 32 bits correspond to k 0 , the next 32 bits correspond 
to ki, the following 32 bits are identified by k 2 , and the 

15 further following 32 bits are identified as k 3 wherein there 
are the following relationships, i.e., k 4 = k 0 , k 5 = ki, k 6 
= k 2 , and k 7 = k 3 , respectively. Thus, 32 bits each of data 
k 0 to k 7 are obtained. 

Furthermore, when the cryptographic key is composed 

20 of 192 (32x 6) bits, k 0 to k 5 arepreparedwherein relationships 
k 6 = k 0 , and k 7 = ki are established. Still further, when 
the cryptographic key is composed of 256 (32 x 8) bits, the 
cryptographic key is divided into 32 bits each to obtain 
32 bits each of data k 0 to k 7 . According to the manner 

25 described above, a cryptographic key may be divided into 
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32 bits each of data k 0 to k 7 , even if the cryptographic key 
has any length of 128 bits, 192 bits or 256 bits. 

Thus, as shown in Fig. 3, a nonlinear type function 
M is applied to the respective data of k 0 to k 7 to obtain 
5 32 bit data of k 0 ' to k 7 ' corresponding respectively to the 
data k 0 to k 7 . Then, a constant is added to even number-th 
data k 0 ' , k 2 ' , k 4 ' , and k 6 f , respectively, while odd number-th 
data ki' , k 3 ' , k 5 ' and k 7 ' are multiplied by the constant, 
respectively . 

10 Thereafter, exclusive OR operation is subjected to 

a bit string of a even number-th data to which was added 
a constant (e.g., k 0 ' +M(4i)) and an odd number-th bit string 
to which was multiplied by the constant (e.g., ki' x (i + 
1)), respectively, and further the nonlinear type function 

15 Mis applied to these operated results toprepare intermediate 
data ai to di . 

It is to be noted herein that constants used in the 
above-described steps S4 to S6 are M(4i) and (i+1) as shown 
in Fig. 3 wherein i takes a value of 0, 1, or 2, whereby 

20 intermediate data a 0 to a 2 , b 0 to b 2 , c 0 to c 2 , and d 0 to d 2 
are obtained. 

Next, a concept for preparing extended key from 
intermediate data by means of the extended key preparing 
equipment 5 shown in Fig. 1 will be described in more detail. 

25 In this connection, Figs. 4(a) and 4(b) are explanatory 
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diagrams each for explaining a concept for preparing extended 
key from intermediate data by the use of the extended key 
preparing equipment 5 shown in Fig. 1. 

As shown in Fig. 4(a), the extended key preparing 
5 equipment 5 is provided with a selector value deciding device, 
selectors, a data rearrangement processing device, and a 
G (X, Y, Z, W) calculating device. The selected value 
deciding device is a one for deciding xr, yr, zr, and wr 
indicating respective elements a, b, c, and d to be selected 

10 from among the respective intermediate data a if b if a, and 
di (i = 0, 1, or 2) based on the number of stages r of an 
extended key to be prepared. 

A selector selects intermediate data a (X r ) , b ( Y r ) , c ( Z r ) , 
and d(W r ), respectively, in accordance with the x r , y r , z r , 

15 and w r decided by the selector value deciding device. 

The data rearrangement processing device rearranges 
(transposes) the data a(X r ), b(Y r ), c(Z r ), and d(W r ) based 
on the number of stages r . More specifically, transpositions 
corresponding to the number of stages r are implemented as 

20 shown in Fig. 5(c), which will be described hereinafter. 

The G(X, Y, Z, w, and r) calculating device prepares 
an extended key E x Key r based on the data (X, Y, Z, and W) 
after the rearrangement. The construction of the G(X, Y, 
Z, W, and r) calculating device is as shown in Fig. 4(b) . 

25 In the same figure, a representation "<«1" means 1 bit 
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leftward cyclical shifting for shifting bit string of data 
cyclically leftwards by 1 bit, means addition of two 

data, means for subtracting a certain data from another 
data, and "©" means exclusive OR. 
5 In the following, procedure steps for preparing an 

extended key by means of the extended key preparing equipment 
5 will be described. As shown in Fig. 4 (a) , when the number 
of stages r is input, the corresponding data are selected 
from among intermediate data, and the data selected are 

10 transposed in accordance with the number r. More 
specifically, one data is selected in every elements in such 
a manner that ai is selected from among a 0 to a 2 , while b 0 
is selected from among bo to b 2 . 

For instance, when "a u b 0 , Ci, and d 2 " are selected, 

15 they are transposed into "b 0 , a X/ d 2 , and c x " wherein X = b 0 , 
Y = ai, Z = 6.2, and W = ci, respectively, in the case shown 
in Fig. 4. 

Then, irreversible conversion is applied the 
irreversible conversion G to the intermediate data after 

20 the transposition thereof to output an extended key in the 
r-th stage. More specifically, the data X is sifted 
cyclically leftwards by 1 bit, it is added to the data Y, 
besides the data Z is shifted cyclically leftwards by 1 bit, 
and the dataWis subtracted therefrom whereby it is cyclically 

25 shifted leftwards by 1 bit. Then, results of the both data 
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were subjected to exclusive OR operation to produce the 
extended key r in the r-th stage. 

Next, selection of data by means of the selected value 
deciding equipment as well as rearrangement of data by means 
5 of the data rearrangement processing equipment shown in Fig. 
4 (a) will be described in more detail. In this connection, 
Figs . 5(a), 5 (b) , and 5 (c) are explanatory diagrams for each 
explaining the selection of data by means of the selected 
value deciding equipment as well as the rearrangement of 
10 data by means of the data rearrangement processing equipment 
shown in Fig. 4(a). 

Fig. 5(a) expresses equations (1), which is applied 
at the time when intermediate data to be selected is selected 
by the selected value deciding equipment, and they are as 
15 follows: 

x r = z r = r mod 3 

y r = w r = r + [r/3] mod 3 
as expressed in equations (1) . 

Fig. 5(b) is a diagram illustrating schematically the 
20 equations (1) shown in Fig. 5(a) wherein numerical values 
corresponding to that, which are to be selected from one 
of three numbers of 0, 1, and 2 are indicated in the case 
where the number of stages is r, and a group composed of 
nine numbers are cycled. 
25 When a value corresponding to the number of stages 
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r (one of three numbers i = 0, 1, and 2 ) is decided in accordance 
with Fig. 5(a) or Fig. 5(b), (X r , Y r , Z r , andW r ) corresponding 
to the number of stages r can be selected from the number 
i each of intermediate data shown in Fig. 4(a). 
5 Fig. 5(c) shows an order table that is used in the 

case where rearrangement is implemented by means of the data 
rearrangement processing equipment. This order table 
functions to decide an order in the case where the intermediate 
data (X r , Y r , Z r , and W r ) of the number of stages r selected 

10 in Fig. 5(a) or Fig. 5(b) are rearranged (replaced). More 
specifically, rearrangement is carried out in accordance 
with the order table wherein the number of stages r on the 
left side are allowed to correspond to orders for 
rearrangement on the right side in the figure. 

15 For instance, when "ai, b 0/ <Z\, and d 2 " are selected, 

it becomes "ai, b 0 , Ci, and d 2 " in the case where the number 
of stages is 0, it comes to be "b 0 , ai, d 2 , and c x " in the 
case where the number of stages is 1, and further it becomes 
"d 2 , Ci, b 0 , and ai" in the case where the number of stages 

20 is 2. 

Next, an example of nonlinear type function operation 
performed by the intermediate data preparing equipment 4 
shown in Fig. 1 will be described. It is to be noted that 
the present invention is not limited to this nonlinear type 
25 operation, but a variety of nonlinear type operations may 
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also be applied. Figs. 6(a), 6(b), and 6(c) as well as Figs . 
7(d) and 7(e) are explanatory diagrams for each explaining 
an example of nonlinear type function operation carried out 
by the intermediate data preparing equipment 4 shown in Fig. 
5 1. 

Fig. 6(a) illustrates an example of the whole 
construction of operation for the nonlinear type function 
M wherein a case where the nonlinear type function M is 
operated by applying a user key (cryptographic key) m of 
10 32 bits to prepare a result w of 32 bits is shown. 

As illustrated, a user key of 32 bits is divided herein 
into m 0 , m a , m 2 , m 3 , m 4 , and m 5 of 6, 5, 5, 5, 5, and 6 bits, 
respectively. Then, values x are converted into those of 

55 (x) as to mi, m 2 , m 3 , and m 4 which are divided into 5 bits, 
15 respectively, in accordance with the table of S5 (x) shown 

in Fig. 6 (b) . 

Likewise, values of x are converted into values of 

56 (x) as to m 0 , and m 6 divided in 6 bits, respectively, in 
accordance with S6 (x) shown in Fig. 6(c), whereby data v 

20 shown in Fig. 6(a) is prepared. 

Thereafter, values of MDS (x) shown in Fig. 7(d) are 
placed at respective positions of a determinant shown in 
Fig. 7(e), besides data v are also disposed in the determinant 
concerning the determinant shown in Fig. 7(e) , and both the 

25 values are subjected to matrix computation to calculate 
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values w. Thus, results (operation results of nonlinear type 
function M) by means of an XOR calculating device wherein 
the MDS of Fig. 6(a) is used are obtained. 

Next, processing in the first stage for preparing 
5 intermediate data from a cryptographic key which has been 
already explained as well as processing in the second stage 
for preparing extended keys of the number of stages r assigned 
by the intermediate data will be described by the use of 
mathematical models and signs. 

10 (1) Processing in the first stage (processing for 

preparing intermediate data from a cryptographic key) : 

(1-1) A cryptographic key of 256 bits is divided into 
eight data k 0 , k lt k 7 in every 32 bits (see Fig. 3). 

(1-2) intermediate data ai, bi, ci, and di (i = 0, 1, 

15 2) are prepared in accordance with calculations of the 
following paragraphs (1-3) to (1-6) by utilizing nonlinear 
type function M to which is input data of 32 bits that was 
divided in the paragraph (1-1) , while which outputs the data 
of 32 bit (see Fig. 3) . Furthermore, process steps (3-1) 

20 to (3-6) are executed with respect to the nonlinear type 
function M. 

(1-3) ai = M (Ta (k 0 , i) XOR Ua (k x , i) wherein Ta (k 0 , 
i) = M (k 0 ) + M (4i) , Ua (ki, i) = M (k a ) x (i + 1) is calculated. 
XOR represents an exclusive OR operation. 
25 d" 4 ) bi = m (Tb (k 2 , i) xor ub (k 3 , i) wherein Tb (k 3 , 
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i) = M (k 2 ) + M (4i+l) , Ub (k 3 , i) = M (k 3 ) x (i+1) is calculated. 

(1-5) ci = M (Tc (k 4 , i) XOR Uc (k 5 , i) wherein Tc (k 4 , 
i) =M (k 4 ) + M (4i+2) , Uc (k 5/ i) =M (k 5 ) x (i+1) is calculated. 

(1-6) di = M (Td (k 6 , i) XOR Ud (k 7 , 1)) wherein Td 
5 (k 6 , i) = M (k 6 ) + M (4i + 3), Ud (k 7 , i) = M (k 7 ) x (i+1) is 
calculated . 

(2) Processing in the second stage (processing for 
preparing extended keys of the number of stages r from 
intermediate data) : 
10 (2-1) Calculation is made with respect to extended 

keys E x Key r of the number of stages r (r = 0, 1, and 2) in 
accordance with the following paragraphs (2-2) to (2-4) (see 
Fig. 4 (a) ) . 

(2-2) A progression X, Y, Z, W represented by Xr = 
15 Zr = r mod 3, Yr = Wr = r + [r/3] mod 3 (Equation (1)) is 
used to obtain (X, Y, Z, W) = (a (Xr) , b (Yr), c (Zr), d 
(Wr) ) . 

(2-3) Data rearrangement represented by (X, Y, Z, W) 
= ORDER_12 (X, Y, Z, W, r' ) wherein ORDER_12 (X, Y, Z, W, r' ) 
20 is the one shown in Fig. 5(c) is made with respect to r' 
satisfying r' = (r + [r/36]) mod 12. 

(2-4) Extended keys of the number of stages r are 
calculated by means of E x Key r = G (X, Y, z, W) wherein G (X, 
Y, z, w) = ( (x «< l) + Y) XOR ( ( (z <« 1) - W) «< l) , and 
25 «< 1 indicates 1 bit leftward cyclical shifting (see Fig. 
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4 (b) ) . 

(3) Operation processing of nonlinear type function 

M: 

(3-1) In accordance with the following paragraphs 
5 (3-2) to (3-6) , result w of 32 bits is output from input 
m of 32 bits (see Fig. 6(a)). 

(3-2) The input m is bit-divided to acquire values 
mo, 1R5 in the following forms: 

m 0 = (the 5th bit from the Oth bit of m) 
10 mi = (the 10th bit from the 6th bit of m) 

m 2 = (the 15th bit from the 11th bit of m) 
m 3 - (the 20th bit from the 16th bit of m) 
m 4 = (the 25th bit from the 21st bit of m) 
m 5 = (the 31st bit from the 26th bit of m) 
15 (3-3) A nonlinear type transformation function S 5 

which outputs 5 bits in respect of input of 5 bits as well 
as a nonlinear type conversion function S s which outputs 
6 bits in respect of input of 6 bits wherein S 5 and S s are 
those shown in Figs . 6(b) and 6(c), respectively, are used 
20 to acquire the following results: 
so = S 6 (m 0 ) 
Si = S 5 (mi) 
s 2 = S 5 (m 2 ) 
s 3 = S 5 (m 3 ) 
25 s 4 = S 5 (m 4 ) 
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s 5 = S 6 (m 5 ) 

(3-4) An equation v - sO | si | s2 | s3 | s4 | s5 wherein " | " 
represents link of bit values is calculated. 

(3-5) An equation w = (vO x MDS (0)) XOR (vl x MDS 
5 (1)) XOR ... XOR (v 31 x MDS (31)) wherein vi x MDS (i) 
is 0 in case of vi = 0, while it is MDS (i) in case of vi 
= 1, by means of the conversion table MDS which is output 
32 bits from the bit value vi that is the i-th v and the 
input of 5 bits, and MDS is the one shown in Fig. 7(d) is 
10 calculated. 

(3-6) The system outputs w. 

As mentioned above, the present embodiment is 
constructed in such that intermediate data ai, b ir a, and 
di are prepared by the intermediate data preparing equipment 

15 4 from a cryptographic key through a nonlinear type function 
operation and the like , the extended key preparing equipment 
5 selects a [Xr] , b [Yr] , c [Zr], and d [Wr] corresponding 
to the number of stages r from the intermediate data, and 
rearranges the data as well as implements that of bit 

20 operation to prepare extended keys. As a result, safe 
extended keys can be prepared from a cryptographic key at 
a high speed. 

More specifically, the present invention has such a 
construction in that intermediate data are prepared from 

25 a cryptographic key in the first stage, arbitrary data are 
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selected from the intermediate data to effect irreversible 
conversion in the second stage, whereby extended keys of 
an arbitrary number of extended keys are prepared. Thus, 
it becomes possible to prepare the extended keys at a high 
5 speed through irreversible conversion, whereby safety in 
common key system can be elevated. 

As a result, the present invention provides the 
following advantages. 

(1) For instance, although a significant period of 
10 time is required for preparing one intermediate data, the 

number of intermediate data required can be reduced by the 
extended key preparing equipment 5, whereby extended keys 
each having high safety can be prepared at a high speed. 

(2) in the case where only extended keys, which will 
15 be required are prepared on the course of processing for 

encryption or decryption without storing all of extended 
keys E s Key 0 , E x Keyi, . . ., E x Key n -i prepared, only the extended 
keys which correspond to the number of stages r assigned 
can be prepared at a high speed. 

20 Further explanation will be made in this respect, in 

a common key cryptosys tern, in general, when extended keys 
are used in an order of E x Key 0 , E x Keyx, E x Key n _! in 

encryption, the extended keys are employed in the reverse 
order of that in the encryption in such order of E x Key n -i, 

25 E x Keyi, E x Key 0 in decryption. In this case, when successive 
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preparation is made in accordance with an extended key 
preparing apparatus wherein a value of E x Key 0 is required 
for preparing E x Keyi (see Fig. 9 mentioned already), E x Keyi 
cannot be directly prepared, but E x Key 0 is previously 
5 prepared, and then E x Key! is prepared by the use of the former 
E x Key 0 . Accordingly, a period of time for preparing an 
extended key in decryption is longer than that of the 
encryption by an amount corresponding to the time as 
explained above. 

10 On the other hand, since extended keys can be prepared 

by assigning an arbitrary number of stages r independent 
from the other extended keys in the present embodiment, 
the same period of time is required in both of a case where 
extended keys are prepared in an order of E x Key 0 , E x Keyi, . . . , 

15 E x Key n _i and a case where extended keys are prepared in an 
order of E x Key n _i, E x Keyi, E x Key 0 . 

As described above, the present embodiment according 
to the invention exhibits such a remarkable advantage that 
even if extended keys are prepared successively, periods 

20 of time for processing encryption and decryption can make 
equal to each other, whereby an appearance of a longer period 
of time for preparing extended keys in decryption than that 
of encryption can be avoided. 

While only the case where i = 0, 1, and 2 has been 

25 described in the present embodiment for the convenience 
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of explanation, the present invention is not limited thereto, 
but it is also applicable for the case where i is 3 or more. 
Furthermore, although an example of nonlinear type function 
operation has been described herein, the invention is not 
5 limited thereto, but other one way functions such as 
so-called hash function and the like are applicable. 

As described above, according to the invention claimed 
in the first aspect, binary digit string of the cryptographic 
key is divided into a plurality of elements each composed 

10 of a predetermined bit length; a plurality of intermediate 
data are prepared by applying the plurality of times an 
operation wherein a predetermined constant is used to the 
respective elements; a plurality of intermediate data 
corresponding to the number of stages of extended keys are 

15 selected from the plurality of the intermediate data 
prepared; and the extended keys corresponding to the number 
of stages are prepared by converting irreversibly the 
plurality of the intermediate data selected, whereby there 
is an advantage to provide an extended key preparing 

20 apparatus by which such extended keys required in the case 
where common key cryptosystem is applied can be safely 
prepared at a high speed. 

According to the invention claimed in the second aspect, 
nonlinear type operation is effected with respect to the 

25 respective elements divided, whereby there is an advantage 
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to provide an extended key preparing apparatus by which 
bits forming a cryptographic key are diffused, so that safety 
in cryptograph can be much more increased. 

According to the invention claimed in the third aspect, 
5 when the cryptographic key is divided into eight elements 
of 32 bits, the nonlinear type operating means separates 
the elements into 6, 5, 5, 5, 5, and 6 bits to transpose 
the same into other data, respectively, and the data after 
transposition are subjected to nonlinear type operation by 
10 the use of a determinant, whereby there is an advantage to 
provide an extended key preparing apparatus by which 
nonlinear type operation can be efficiently carried out at 
a high speed. 

According to the invention claimed in the fourth aspect, 
15 a constant is added to an odd number-th element which has 
been subjected to nonlinear type operation; besides an even 
number-th element which has been subjected to nonlinear type 
operation is multiplied by the constant; and exclusive OR 
operation of both the odd number-th element and the even 
20 number-th element is effected, whereby there is an advantage 
to provide an extended key preparing apparatus by which 
intermediate data can be efficiently prepared. 

According to the invention claimed in the fifth aspect, 
the result of the exclusive OR operation is subjected to 
25 nonlinear type operation to prepare intermediate data, 
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whereby there is an advantage to provide an extended key 
preparing apparatus by which bits forming the result of the 
exclusive OR operation are further diffused, so that safety 
in cryptograph can be much more improved. 
5 According to the invention claimed in the sixth aspect, 

the plurality of times of additions and multiplications are 
repeated with the use of the number i of different constants, 
respectively, to prepare the number i of data in every 
elements; i times of operations for acquiring exclusive OR 

10 of the odd number-th element and the even number-th element 
which have been operated by the use of the same constants 
are repeated; and the number i of intermediate data are 
prepared in every elements, whereby there is an advantage 
to provide an extended key preparing apparatus by which 

15 a plurality of intermediate data can be prepared in every 
respective elements by a simple procedure. 

According to the invention claimed in the seventh aspect, 
one intermediate data corresponding to the number of stages 
of an extended key is selected among the number i of 

20 intermediate data contained in the respective elements 
prepared, whereby there is an advantage to provide an 
extended key preparing apparatus by which independency of 
a certain extended key can be maintained with respect to 
the other keys. 

25 According to the invention claimed in the eighth aspect, 
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a plurality of intermediate data selected are rearranged; 
and the plurality of intermediate data which have been 
rearranged are converted irreversibly, whereby there is an 
advantage to provide an extended key preparing apparatus 
5 by which unidirectional property of a certain cryptographic 
key towards extended keys can be maintained, so that even 
if a certain extended key leaks out, the cryptographic key 
can be held in secret. 

According to the invention claimed in the ninth aspect, 

10 when intermediate data are rearranged in an order of elements 
X, Y, 2, and W by the rearrangement means, a first data is 
prepared by adding the element Y to a data obtained by shifting 
cyclically the element X leftwards by 1 bit; a second data 
is prepared by sifting cyclically the data leftwards by 

15 further 1 bit, which data has been obtained by subtracting 
the element W from a data obtained by shifting cyclically 
the element Z leftwards by 1 bit; and exclusive OR of the 
first data and the second data is operated, whereby there 
is an advantage to provide an extended key preparing 

20 apparatus by which irreversible conversion can be 
efficiently implemented at a high speed. 

According to the invention claimed in the tenth aspect, 
a cryptographic key of 128 bits, 192 bits, or 256 bits is 
divided into eight elements of 32 bits, whereby there is 

25 an advantage to provide an extended key preparing apparatus 



30 



by which the extended key can be prepared by using the same 
logic, even if the number of bits input differs in extended 
key. 

According to the invention claimed in the eleventh 
5 aspect, binary digit string of the cryptographic key is 
divided into a plurality of elements each composed of a 
predetermined bit length; a plurality of intermediate data 
are prepared by applying the plurality of times an operation 
wherein a predetermined constant is used to the respective 

10 elements; a plurality of intermediate data corresponding 
to the number of stages of extended keys are selected from 
the plurality of the intermediate data prepared; and the 
extended keys corresponding to the number of stages are 
prepared by converting irreversibly the plurality of the 

15 intermediate data selected, whereby there is an advantage 
to provide an extended key preparing method by which such 
extended keys required in the case where common key 
cryptosystem is applied can be safely prepared at a high 
speed. 

20 According to the invention claimed in the twelfth aspect, 

nonlinear type operation is effected with respect to the 
respective elements divided, whereby there is an advantage 
to provide an extended key preparing method by which bits 
forming a cryptographic key are diffused, so that safety 

25 in cryptograph can be much more increased. 
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According to the invention claimed in the thirteenth 
aspect, when the cryptographic key is divided into eight 
elements of 32 bits, the nonlinear type operating means 
separates the elements into 6, 5, 5, 5, 5, and 6 bits to 
5 transpose the same into other data, respectively, and the 
data after transposition are subjected to nonlinear type 
operation by the use of a determinant, whereby there is an 
advantage to provide an extended key preparing method by 
which nonlinear type operation can be efficiently carried 

10 out at a high speed. 

According to the invention claimed in the fourteenth 
aspect, a constant is added to an odd number-th element which 
has been subjected to nonlinear type operation; besides an 
even number-th element which has been subjected to nonlinear 

15 type operation is multiplied by the constant; and exclusive 
OR operation of both the odd number-th element and the even 
number-th element is effected, whereby there is an advantage 
to provide an extended key preparing method by which 
intermediate data can be efficiently prepared. 

20 According to the invention claimed in the fifteenth 

aspect, the result of the exclusive OR operation is subjected 
to nonlinear type operation to prepare intermediate data, 
whereby there is an advantage to provide an extended key 
preparing method by which bits forming the result of the 

25 exclusive OR operation are further diffused, so that safety 
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in cryptograph can be much more improved. 

According to the invention claimed in the sixteenth 
aspect, the plurality of times of additions and 
multiplications are repeated with the use of the number i 
5 of different constants, respectively, to prepare the number 
i of data in every elements; i times of operations for 
acquiring exclusive OR of the odd number-th element and the 
even number-th element which have been operated by the use 
of the same constants are repeated; and the number i of 

10 intermediate data are prepared in every elements, whereby 
there is an advantage to provide an extended key preparing 
method by which a plurality of intermediate data can be 
prepared in every respective elements by a simple procedure. 
According to the invention claimed in the seventeenth 

15 aspect, one intermediate data corresponding to the number 
of stages of an extended key is selected among the number 
i of intermediate data contained in the respective elements 
prepared, whereby there is an advantage to provide an 
extended key preparing method by which independency of a 

20 certain extended key can be maintained with respect to the 
other keys. 

According to the invention claimed in the eighteenth 
aspect, a plurality of intermediate data selected are 
rearranged; and the plurality of intermediate data which 
25 have been rearranged are converted irreversibly, whereby 
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there is an advantage to provide an extended key preparing 
method by which unidirectional property of a certain 
cryptographic key towards extended keys can be maintained, 
so that even if a certain extended key leaks out, the 
5 cryptographic key can be held in secret. 

According to the invention claimed in the nineteenth 
aspect, when intermediate data are rearranged in an order 
of elements X, Y, Z, and W by the rearrangement means, a 
first data is prepared by adding the element Y to a data 

10 obtained by shifting cyclically the element X leftwards by 
1 bit; a second data is prepared by sifting cyclically the 
data leftwards by further 1 bit, which data has been obtained 
by subtracting the element W from a data obtained by shifting 
cyclically the element Z leftwards by 1 bit; and exclusive 

15 or of the first data and the second data is operated, whereby 
there is an advantage to provide an extended key preparing 
method by which irreversible conversion can be efficiently 
implemented at a high speed. 

According to the invention claimed in the twentieth 

20 aspect, a cryptographic key of 128 bits, 192 bits, or 256 
bits is divided into eight elements of 32 bits, whereby there 
is an advantage to provide an extended key preparing method 
by which the extended key can be prepared by using the same 
logic, even if the number of bits input differs in extended 

25 key. 
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According to the invention claimed the twenty-first 
aspect, binary digit string of the cryptographic key is 
divided into a plurality of elements each composed of a 
predetermined bit length; a plurality of intermediate data 
5 are prepared by applying the plurality of times an operation 
wherein a predetermined constant is used to the respective 
elements; a plurality of intermediate data corresponding 
to the number of stages of extended keys are selected from 
the plurality of the intermediate data prepared; and the 

10 extended keys corresponding to the number of stages are 
prepared by converting irreversibly the plurality of the 
intermediate data selected, whereby there is an advantage 
to provide a computer readable recording medium by which 
such extended keys required in the case where common key 

15 cryptosystem is applied can be safely prepared at a high 
speed. 

Although the invention has been described with respect 
to a specific embodiment for a complete and clear disclosure, 
the appended claims are not to be thus limited but are to 
20 be construed as embodying all modifications and alternative 
constructions that may occur to one skilled in the art which 
fairly fall within the basic teaching herein set forth. 
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